DEV Community

Amree Zaid
How Bcrypt Compares Passwords

Creating a password in the database:

> require 'bcrypt'
> password = 'secret'
> encrypted_password_in_database = BCrypt::Password.create(password)

Comparing a password:

> BCrypt::Password.new(encrypted_password_in_database) == 'secret'
=> true

== is actually a method defined in bcrypt-ruby: it hashes the candidate string with the salt and cost stored in the existing hash and compares the result to that hash.

Devise compares the two hashes using a constant-time secure comparison, but the bcrypt-ruby project decided not to go with that. Read more about it here:
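To make the two comparison strategies concrete, here is an added example (not code from bcrypt-ruby or Devise). Because the bcrypt gem may not be installed, it uses PBKDF2-HMAC-SHA256 from Ruby's stdlib as a stand-in KDF and a constructed "$pbkdf2$cost$salt$digest" storage format; the function names are assumptions, but the flow mirrors BCrypt::Password#==: parse salt and cost out of the stored string, re-derive the candidate, then compare either with plain String#== or with an XOR-accumulating constant-time compare of the kind Devise uses.

```ruby
require 'openssl'
require 'securerandom'

COST = 12 # cost exponent, as in bcrypt; iterations = 2**COST

# Derive a 32-byte digest from password + salt (stand-in for bcrypt's KDF).
def derive(password, salt, cost)
  OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: 2**cost,
                           length: 32, hash: 'sha256')
end

# Create the stored record. Salt and cost travel inside the string, just as
# they do in a bcrypt hash, so verification needs nothing else from the DB.
def create_password(password, cost: COST)
  salt = SecureRandom.random_bytes(16)
  digest = derive(password, salt, cost)
  format('$pbkdf2$%02d$%s$%s', cost, salt.unpack1('H*'), digest.unpack1('H*'))
end

# Split the stored record back into (cost, raw salt, hex digest).
def parse(stored)
  _, kdf, cost, salt_hex, digest_hex = stored.split('$')
  raise ArgumentError, 'invalid hash format' unless kdf == 'pbkdf2' && salt_hex && digest_hex
  [cost.to_i, [salt_hex].pack('H*'), digest_hex]
end

# What bcrypt-ruby's == does: re-derive, then plain String#== (short-circuits
# on the first differing byte).
def password_equals?(stored, candidate)
  cost, salt, digest_hex = parse(stored)
  derive(candidate, salt, cost).unpack1('H*') == digest_hex
end

# Constant-time compare: hash both sides to equal length, then OR together the
# XOR of every byte pair so the loop never exits early.
def secure_compare(a, b)
  a = OpenSSL::Digest::SHA256.digest(a)
  b = OpenSSL::Digest::SHA256.digest(b)
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# The Devise-style variant: same derivation, constant-time comparison.
def password_equals_ct?(stored, candidate)
  cost, salt, digest_hex = parse(stored)
  secure_compare(derive(candidate, salt, cost).unpack1('H*'), digest_hex)
end
```

Either variant rejects a wrong password; the difference is only whether the final string comparison leaks timing, which is the point the bcrypt-ruby discussion argues is moot because the attacker never controls the stored hash.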

Top comments (4)

Phil Nash

Those are some really interesting arguments in the bcrypt issues/PRs. I guess I take the opinion that you can never have too much security, so I would include the constant time string comparison as well. I'm glad Devise does that.

Victor Hazbun

It seems like constant-time secure comparison is not necessary because users won't submit hashed data via parameters. Timing attacks are effective only when the user submits hashed data and then the server compares the data against whatever is in the DB.

rhymes

Judging from the responses I don't think they're ever going to adopt the change, though it's not like the default is inherently insecure...

But you can change the encryptor Devise uses, maybe to something like Argon2 using devise-argon2

Amree Zaid

TIL about argon and scrypt. Awesome link 👍